Thursday, March 31, 2011

OWA 2010 - You don't have permission to open this page

I just performed cross-forest migration of a number of mailboxes. Mailboxes come across as "linked" mailboxes linking to the account in the source forest. To link the mailboxes to the new user account in the destination forest I used the Disable-Mailbox command to unlink the mailbox from the old account followed by the Connect-Mailbox to link the mailbox to the new user account in the destination forest. Users who had been migrated across to the new forest had problems accessing "Options" in Outlook Web App.

Sorry! Access denied

You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again. If the problem persists, contact your administrator.

I went and created a new mailbox user in the destination forest which I did not migrate. This worked fine. I went and compared attributes between my "test" mailbox account and "jim's" mailbox account.

There were a couple of differences. Jim's mailbox did not have a Role Assignment Policy. The RoleAssignmentPolicy parameter specifies the management role assignment policy to assign to the mailbox when it's created or enabled. If you don't include this parameter when you create or enable a mailbox, the default assignment policy is used. All mailboxes must have at least the default policy! I set the default policy as follows on Jims account